I don't see the problem with grabbing binary blobs from other trusted projects. Isn't it sufficient just to be able to prove the hashes match what you'd get directly from the origin? If you got your blob from (say) Debian, and their blobs were backdoored, the world has... much bigger problems to worry about. Feels like trying to verify that your pharmacy is making your medication from scratch, lest their supplier had contaminated it.